In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as a class name and uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products: 41
References: 34

| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| apache | batik | 1.0 - 1.10 | - |
| debian | debian_linux | - | - |
| canonical | ubuntu_linux | - | - |
| oracle | business_intelligence | - | - |
| oracle | communications_diameter_signaling_router | 8.3 | - |
| oracle | communications_metasolv_solution | - | - |
| oracle | communications_webrtc_session_controller | 7.2 | - |
| oracle | data_integrator | - | - |
| oracle | enterprise_repository | - | - |
| oracle | financial_services_analytical_applications_infrastructure | 7.3.3.0.0 - 7.3.3.0.2 | - |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.0.0.0 - 8.0.7.1.0 | - |
| oracle | fusion_middleware_mapviewer | - | - |
| oracle | instantis_enterprisetrack | - | - |
| oracle | insurance_calculation_engine | - | - |
| oracle | insurance_policy_administration_j2ee | - | - |
| oracle | jd_edwards_enterpriseone_tools | - | - |
| oracle | retail_back_office | - | - |
| oracle | retail_central_office | - | - |
| oracle | retail_integration_bus | - | - |
| oracle | retail_order_broker | - | - |
| oracle | retail_point-of-service | - | - |
| oracle | retail_returns_management | - | - |